Cookies and Sessions
Maintaining State in HTTP


High Level Summary

• The web is “stateless” - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later

• So we need a way for servers to know “which browser is this?”

• In the browser, state is stored in “Cookies”

• In the server, state is stored in “Sessions”
Some Web sites always seem to want to know who you are!


Other Web sites always seem to know who you are!


How YouTube sees you...

[Diagram: Browser and Server - Click, Draw, Click, Draw]

How you see YouTube...

[Diagram: Browser and Server]


Multi-User

• When a server is interacting with many different browsers at the same time, the server needs to know *which* browser a particular request came from

• Request / Response initially was stateless - all browsers looked identical - this was really really bad and did not last very long at all.


Web Cookies to the Rescue

Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site.

http://en.wikipedia.org/wiki/HTTP_cookie


Cookies In the Browser

• Cookies are marked as to the web addresses they come from - the browser only sends back cookies that were originally set by the same web server

• Cookies have an expiration date - some last for years - others are short-term and go away as soon as the browser is closed


1. browser requests a Web page
2. server sends page + cookie
3. browser requests another page (with the cookie)

http://en.wikipedia.org/wiki/HTTP_cookie


Playing with Cookies

• Firefox Developer Plugin has a set of cookie features

• Other browsers have a way to view or change cookies


Request Response Again!


Cookies

• Identifying Individual Users

• The Web is “stateless”

• How do we make the web seem not to be stateless?


HTTP Request / Response Cycle (Review)

[Diagram: the Browser (Internet Explorer, Firefox, Safari, etc.) sends an HTTP Request to the Web Server; the Web Server returns an HTTP Response carrying the page: “Hello there my name is Chuck. Go ahead and click on here.”]

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

We do our initial GET to a server. The server checks to see if we have a cookie with a particular name set. Since this is our first interaction, we have no cookies set for this host.

HTTP Request (Browser -> Web Server):

    GET /index.html HTTP/1.1
    Accept: www/source
    Accept: text/html
    User-Agent: Lynx/2.4

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

Along with the rest of the response, the server sets a cookie with some name (sessid) and sends it back along with the rest of the response.

HTTP Response (Web Server -> Browser):

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: sessid=123

    <head> .. </head>
    <body>
    <h1>Welcome ....

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

From that point forward, each time we send a GET or POST to the server, we include any cookies which were set by that host.

Browser cookie store: host: sessid=123

HTTP Request (Browser -> Web Server):

    GET /index.html HTTP/1.1
    Accept: www/source
    Accept: text/html
    Cookie: sessid=123
    User-Agent: Lynx/2.4

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

On each response, the server can change a cookie value or add another cookie.

Browser cookie store: host: sessid=123, host: name=chuck

HTTP Response (Web Server -> Browser):

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: name=chuck

    <head> .. </head>
    <body>
    <h1>Welcome ....

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

From that point forward, each time we send a GET or POST to the server, we include all the cookies which were set by that host.

Browser cookie store: host: sessid=123, host: name=chuck

HTTP Request (Browser -> Web Server):

    GET /index.html HTTP/1.1
    Accept: www/source
    Accept: text/html
    Cookie: sessid=123; name=chuck
    User-Agent: Lynx/2.4

http://www.oreilly.com/openbook/cgi/ch04_02.html

Cookies

• We only send cookies back to the host that originally set the cookie

• The browser has *lots* of cookies for lots of hosts

• To see all Cookies: Firefox -> Preferences -> Privacy -> Show Cookies

[Screenshot: Firefox “Cookie Information” dialog listing the cookies stored on your computer by site (go.com, gocalifornia.about.com, google.ch, google.co.jp, google.co.nz, google.co.uk, google.com, ...), with Name, Content, Host, Path, Send For and Expires shown for the selected cookie, and “Remove Cookie” / “Remove All Cookies” buttons]

Two Kinds of Cookies

• Two kinds of cookie

• Long-lived - who you are - account name, last access time - you can close and reopen your browser and it is still there

• Temporary - used to identify your session - it goes away when you close the browser
Some Web sites always seem to want to know who you are!


In The Server - Sessions

• In most server applications, as soon as we meet a new browser - we create a session

• We set a session cookie to be stored in the browser which indicates the session id in use

• The creation and destruction of sessions is generally handled by a web framework or some utility code that we just use to manage the sessions


Session Identifier

• A large, random number that we place in a browser cookie the first time we encounter a browser.

• This number is used to pick from the many sessions that the server has active at any one time.

• Server software stores data in the session which it wants to have from one request to another from the same browser.

• Shopping cart or login information is stored in the session in the server


Login / Logout

• Having a session is not the same as being logged in.

• Generally you have a session the instant you connect to a web site

• The Session ID cookie is set when the first page is delivered

• Login puts user information in the session (stored in the server)

• Logout removes user information from the session


Using Sessions for Other Stuff

[Diagram: the Server holds Session 10 (user=chuck, bal=$1000) for Browser A, whose cookie is 10, and Session 46 (user=jan, bal=$500) for Browser B, whose cookie is 46]

[Diagram: Browser B clicks “withdraw”; the server runs bal=bal-100 in Session 46]

[Diagram: Session 46 now holds user=jan, bal=$400; Session 10 (user=chuck, bal=$1000) is unchanged]
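The mechanics on these slides (a large random id issued in a Set-Cookie on the first request, the browser returning it in the Cookie header, login/logout putting user data into and removing it from the server-side session, and the two-browser withdraw diagram) as an added, self-contained Python example. This is not code from the lecture; the in-memory SESSIONS dict, the function names and the chuck/jan balances are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Server-side session store: session id -> that browser's scratch space.
# Constructed in-memory dict for this example; a real server keeps sessions
# "somewhere" (database, cache), but the lookup by cookie value is the same.
SESSIONS: Dict[str, dict] = {}

def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a Cookie request header such as 'sessid=123; name=chuck'."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def get_or_create_session(cookie_header: Optional[str]) -> Tuple[str, dict, Optional[str]]:
    """Return (sessid, session, Set-Cookie header or None).

    First request: no sessid cookie, so the server makes a large random id,
    stores an empty session and tells the browser to keep the id.
    Later requests: the id comes back in the Cookie header and selects that
    browser's session; no Set-Cookie is needed.
    """
    sessid = parse_cookie_header(cookie_header).get("sessid")
    if sessid in SESSIONS:
        return sessid, SESSIONS[sessid], None
    # Missing or unknown id: issue a fresh one rather than adopting the client's.
    sessid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[sessid] = {}
    # HttpOnly hides the id from page scripts; Secure limits it to HTTPS.
    set_cookie = f"Set-Cookie: sessid={sessid}; HttpOnly; Secure; SameSite=Lax"
    return sessid, SESSIONS[sessid], set_cookie

def login(session: dict, user: str, balance: int) -> None:
    """Login puts user information into the server-side session."""
    session["user"] = user
    session["bal"] = balance

def logout(session: dict) -> None:
    """Logout removes the user information; the session itself survives."""
    session.pop("user", None)
    session.pop("bal", None)

def withdraw(session: dict, amount: int) -> int:
    """The 'withdraw' click: bal = bal - amount, in this browser's session only."""
    if "user" not in session:
        raise PermissionError("having a session is not the same as being logged in")
    session["bal"] -= amount
    return session["bal"]
```

Two browsers that never exchange cookies get two independent sessions, so Browser B's withdraw changes only Session 46; an unknown sessid sent by a client is replaced, not trusted.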

High Level Summary

• The web is “stateless” - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later

• So we need a way for servers to know “which browser is this?”

• In the browser, state is stored in “Cookies”

• In the server, state is stored in “Sessions”


Review...

[Diagram: Browser and Server - Click, Draw, Click, Draw]

Cookie/Session Summary

• Cookies take the stateless web and allow servers to store small “breadcrumbs” in each browser.

• Session IDs are large random numbers stored in a cookie and used to maintain a session on the server for each of the browsers connecting to the server

• Server software stores sessions *somewhere* - each time a request comes back in, the right session is retrieved based on the cookie

• Server uses the session as a scratch space for little things



